Gartner recently released its Market Guide for Network Detection and Response (NDR), a useful tool for organizations looking to assess and compare the wide variety of NDR solutions on the market. Modern organizations have seen a massive expansion of their cyber terrain as they contend with more cloud services, more distributed devices, more network traffic and more endpoints. As the cyber terrain has grown, organizations have had to evolve their defensive strategies, moving from perimeter-focused security to more comprehensive strategies that emphasize holistic visibility of the whole terrain.
Network Detection and Response is closely related to other network security categories, including Network Traffic Analysis (NTA) and Network Analysis and Visibility (NAV). In this blog, we will discuss what makes for a good NDR solution, why we believe Fidelis Cybersecurity was selected as a Representative Vendor for Network Detection and Response, and what differentiates the Fidelis platform from other NDR solutions.
What is Network Traffic Analysis vs. Network Detection and Response?
With such a wide range of products describing themselves as “Network Traffic Analysis” solutions, it is first important to realize that not all NTA is created equal. Because of this, it is useful to establish a working definition: Gartner defines Network Traffic Analysis (NTA) as a solution that “uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.”
NDR, by contrast, elevates the role of response on the network. This is a materially different emphasis from NTA, and cybersecurity professionals need to understand the difference.
Detection starts with visibility: network traffic is captured and turned into metadata and content that can be analyzed. On top of that visibility, a variety of techniques can be applied to detect cyber threats and risks, including signature analysis, malware detection, sandboxing, indicator analysis, email security, web security, machine learning and AI, deception, and asset risk analysis. Detection via traffic analysis and visibility remains the keystone of NDR.
NDR holds that response is equally important to detection, and the quality of detection determines how useful response can be. Detection can be judged on a sliding scale between false positive and false negative results. Too many detections inundate the security team with alerts and information, and leave the impression that most detections are false positives. Too few detections lead to a false sense of security where no news is taken as good news, masking the information required to truly secure the enterprise. Response is only as good as the context each detection carries with it: an alert that names the host, the destination, the technique and the supporting evidence can be acted on; a bare score cannot.
What Should You Look for When Buying an NDR Solution?
In the NDR Market Guide, Gartner emphasized the growing importance of detection and response capabilities in an NDR solution. At the end of the day, it is more than just analytics: the understanding of network traffic has to be tied into your overall detection and response capability.
As cyber attackers continue to innovate and evolve their capabilities (increasingly with the help of automation and machine learning), early detection and response remains one of the most effective strategies for defending enterprises against malicious actors. Unfortunately, attacker dwell time is currently measured in months rather than hours or days, which gives attackers ample time to collect information, move through the network and damage or exfiltrate enterprise data.
Cyber attackers typically leverage multiple tactics to evade security tools, but in doing so they also create more opportunities for analysts to find them. Leading NDR technology captures, processes, and analyzes network traffic to detect and investigate activity that may indicate an attack. Typical NDR solutions use a combination of machine learning, advanced analytics, and rule-based detection to detect and respond to suspicious activities on enterprise networks.
To remedy the current dwell time situation, organizations need better options for both automated and manual detection. Ultimately, this is a visibility issue: many organizations lack the holistic visibility of their cyber environment that is needed to detect threats in time to matter. Ideal NDR solutions should aim to provide organizations with deep visibility into their own cyber terrain, as well as into the tactics and techniques attackers use to infiltrate networks, expand control, and entrench themselves.
Like detecting threats, responding to threats effectively ultimately boils down to how much information you have at your disposal. Network Detection and Response solutions should therefore prioritize giving incident responders the tools they need to quickly make risk-based decisions. Having visibility from the network and cloud traffic to endpoint activity is a must to understand the who, what, when, where, and how — in addition to possessing the tools and automation needed to resolve issues as quickly as possible.
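To make the combination of rule-based and behavioural detection described above concrete, here is an added example (it is not Fidelis code and not part of the Gartner guide). It parses constructed Zeek conn.log-style connection records, runs three detections over them (a retrospective threat-intel match, a beaconing check on the regularity of connection timing, and an SMB fan-out check for lateral movement), labels each hit with a MITRE ATT&CK technique ID, and consolidates the alerts per source host so an analyst sees one case with its evidence. The log lines, addresses, intel feed, thresholds and technique attributions are all constructed for the example.

```python
"""Added example: a small NDR-style detection pass over constructed
connection metadata (not Fidelis code; all addresses and intel are made up)."""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records in a Zeek conn.log-like TSV layout:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
# 10.0.0.5 beacons to 203.0.113.9 every ~60 s, then fans out over SMB;
# 10.0.0.7 is an ordinary browsing host with irregular connection timing.
CONN_LOG = """\
1600000000.0\t10.0.0.5\t50111\t203.0.113.9\t443\ttcp\tssl
1600000060.4\t10.0.0.5\t50118\t203.0.113.9\t443\ttcp\tssl
1600000119.8\t10.0.0.5\t50124\t203.0.113.9\t443\ttcp\tssl
1600000180.2\t10.0.0.5\t50131\t203.0.113.9\t443\ttcp\tssl
1600000240.1\t10.0.0.5\t50137\t203.0.113.9\t443\ttcp\tssl
1600000299.7\t10.0.0.5\t50142\t203.0.113.9\t443\ttcp\tssl
1600000360.3\t10.0.0.5\t50150\t203.0.113.9\t443\ttcp\tssl
1600000500.0\t10.0.0.5\t50160\t10.0.0.21\t445\ttcp\tsmb
1600000501.0\t10.0.0.5\t50161\t10.0.0.22\t445\ttcp\tsmb
1600000502.0\t10.0.0.5\t50162\t10.0.0.23\t445\ttcp\tsmb
1600000005.0\t10.0.0.7\t51001\t198.51.100.20\t443\ttcp\tssl
1600000012.0\t10.0.0.7\t51002\t198.51.100.20\t443\ttcp\tssl
1600000090.0\t10.0.0.7\t51003\t198.51.100.20\t443\ttcp\tssl
1600000095.0\t10.0.0.7\t51004\t198.51.100.20\t443\ttcp\tssl
1600000400.0\t10.0.0.7\t51005\t198.51.100.20\t443\ttcp\tssl
1600000405.0\t10.0.0.7\t51006\t198.51.100.20\t443\ttcp\tssl
1600000600.0\t10.0.0.7\t51007\t198.51.100.20\t443\ttcp\tssl
1600000700.0\t10.0.0.7\t51009\t10.0.0.50\t445\ttcp\tsmb
"""
# Constructed intel feed: indicator -> ATT&CK technique the feed attributes to it.
# Matching it against metadata captured before the feed arrived is the
# "retrospective" case; 192.0.2.77 never appears in the log.
IOC_FEED = {"203.0.113.9": "T1071", "192.0.2.77": "T1105"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service")

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_conn_log(text):
    """Turn the TSV text into dicts with numeric timestamp and ports."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split("\t")))
            rec["ts"], rec["orig_p"], rec["resp_p"] = float(rec["ts"]), int(rec["orig_p"]), int(rec["resp_p"])
            records.append(rec)
    return records

def indicator_matches(records, feed):
    """Rule-based detection: any connection whose responder is in the feed."""
    alerts, seen = [], set()
    for r in records:
        if r["resp_h"] in feed and (r["orig_h"], r["resp_h"]) not in seen:
            seen.add((r["orig_h"], r["resp_h"]))
            alerts.append({"name": "threat-intel match", "src": r["orig_h"], "dst": r["resp_h"],
                           "technique": feed[r["resp_h"]], "evidence": "responder is in intel feed"})
    return alerts

def beacon_candidates(records, min_conns=6, max_cv=0.1):
    """Behavioural detection: near-constant gaps between connections to one
    external host. max_cv is the knob that trades false positives for misses."""
    by_pair = defaultdict(list)
    for r in records:
        if not is_internal(r["resp_h"]):
            by_pair[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r["ts"])
    alerts = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = statistics.stdev(gaps) / statistics.mean(gaps)  # coefficient of variation
        if cv <= max_cv:
            alerts.append({"name": "beaconing", "src": src, "dst": dst, "technique": "T1071",
                           "evidence": f"{len(times)} conns to :{port}, interval cv={cv:.3f}"})
    return alerts

def smb_fan_out(records, min_targets=3):
    """Behavioural detection: one internal host opening SMB to many peers."""
    targets = defaultdict(set)
    for r in records:
        if r["resp_p"] == 445 and is_internal(r["resp_h"]):
            targets[r["orig_h"]].add(r["resp_h"])
    return [{"name": "smb fan-out", "src": src, "dst": ",".join(sorted(d)), "technique": "T1021.002",
             "evidence": f"{len(d)} distinct SMB targets"} for src, d in targets.items() if len(d) >= min_targets]

def run_detections(log_text, feed):
    """Run all three detections and consolidate alerts per source host,
    so triage sees one case with its evidence instead of separate alerts."""
    records = parse_conn_log(log_text)
    cases = defaultdict(list)
    for a in indicator_matches(records, feed) + beacon_candidates(records) + smb_fan_out(records):
        cases[a["src"]].append(a)
    return dict(cases)

if __name__ == "__main__":
    for host, alerts in run_detections(CONN_LOG, IOC_FEED).items():
        print(host, *(f"  {a['technique']:<9} {a['name']:<18} {a['evidence']}" for a in alerts), sep="\n")
```

Run as written, the only case produced is for 10.0.0.5, carrying all three alerts; the browsing host 10.0.0.7 reaches the beacon check but its interval variation is far above the threshold. Lowering `max_cv` or raising `min_targets` is exactly the false positive versus false negative trade-off discussed above, and the per-host consolidation is what lets a responder see the intel match, the beaconing and the SMB fan-out as one story rather than three tickets.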
We believe Fidelis Cybersecurity is noted as a Representative Vendor for providing the above capabilities and much more. This includes bi-directional visibility across all ports and protocols, the ability to retrospectively detect and analyze rich metadata against the latest threat intelligence, and consolidating similar alerts and evidence to speed alert triage. Furthermore, with Fidelis Decryption, we can profile TLS encrypted traffic and seamlessly integrate with Fidelis Endpoint to automate response actions.
Key benefits of the Fidelis platform include:
- Mapping attacker TTPs to the MITRE ATT&CK™ framework for improved alert visualization and ease-of-use
- Gaining bi-directional visibility of all network traffic (including TLS) across all ports and protocols
- Inspecting content multiple levels deep to detect malicious activity and data loss
- Visualizing the network terrain with an interactive map of device communication prioritized by risk
- Detecting anomalous behavior with powerful supervised and unsupervised machine-learning models in our Anomaly Dashboard
- Aggregating alerts, context, and evidence for faster threat investigation and analysis, and reduced alert fatigue
- Knowing your environment by automatically profiling and classifying all networked IT assets
- Risk scoring with behavioral and historical analytics, plus policy and alert management
- Automating response via integration with Fidelis Endpoint®
Download your free copy of the 2020 Gartner Market Guide for Network Detection and Response.